jenkins/papr: more PAPR integration improvements

- use ConfigMap to mount PAPR config - add AWS secrets - inject secrets using env vars - let OCP auto-generate PAPR pod names rather than us doing it, which is inherently racy
projectatomic · Apr 10, 2018 · 0889a6a · 0889a6a
1 parent 4a27aab
commit 0889a6a
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 27 deletions.
diff --git a/jenkins/README.md b/jenkins/README.md
@@ -38,11 +38,19 @@ Assuming you already have a cluster set up and running (e.g. `oc cluster up`):
 
 ```
 $ oc new-project projectatomic-ci
-$ echo "$GITHUB_TOKEN" > mytoken
+$ echo -n "$GITHUB_TOKEN" > mytoken
 $ oc secrets new github-token token=mytoken
 $ oc new-app --file paci-jenkins.yaml
 ```
 
+If you're also planning to test publishing results to AWS S3:
+
+```
+$ echo -n "$AWS_ACCESS_KEY_ID" > aws-key-id
+$ echo -n "$AWS_SECRET_ACCESS_KEY" > aws-key-secret
+$ oc secrets new aws-access-key id=aws-key-id secret=aws-key-secret
+```
+
 If your project already exists (e.g. you are not a cluster admin) and it is not
 named `projectatomic-ci`, make sure to pass the `-p NAMESPACE=$project` argument
 to the `new-app` command above. (Though note that the `job-builder` Jenkinsfile
@@ -151,6 +159,12 @@ working OpenShift cluster. See the PAPR
 [instructions](https://github.com/projectatomic/papr/blob/ocp/docs/RUNNING.md)
 for more details on how to get started.
 
+The `papr` service account needs to have a membership in an SCC with `RunAsAny`,
+so that it can run test containers as root, much like Docker. In the
+`oc cluster up` case, this can be done simply by adding the papr service account
+to the `anyuid` SCC. Otherwise, you'll need to ask a cluster administrator to do
+this for you.
+
 To be able to trigger PAPR tests from GHPRB jobs in Jenkins, you simply need to
 build the PAPR image:
 

diff --git a/jenkins/paci-jenkins.yaml b/jenkins/paci-jenkins.yaml
@@ -143,6 +143,20 @@ objects:
   subjects:
   - kind: ServiceAccount
     name: papr
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: papr-config
+  data:
+    config: |
+      github:
+        auth-from-env: true
+      publisher:
+        type: s3
+        config:
+          auth-from-env: true
+          bucket: aos-ci
+          rootdir: ghprb
 - apiVersion: v1
   kind: Route
   metadata:
@@ -245,7 +259,9 @@ objects:
             claimName: ${JENKINS_SERVICE_NAME}
         - name: github-token-mount
           secret:
-            secretName: ${GITHUB_TOKEN_SECRET}
+            # we expect users to have created a secret called github-token with
+            # the key "token" containing the actual token
+            secretName: github-token
         - name: webhook-secret-mount
           secret:
             secretName: webhook-secret
@@ -376,13 +392,6 @@ parameters:
 - description: Git branch/tag reference
   name: PAPR_REPO_REF
   value: master
-- description: >
-    GitHub token secret. This is *not* the token itself. It is the name of the
-    OpenShift secret containing the token, which must be created beforehand. The
-    secret is expected to define a key "token" containing the token.
-  name: GITHUB_TOKEN_SECRET
-  value: github-token
-  required: true
 - description: Shared webhook secret.
   name: GITHUB_WEBHOOK_SHARED_SECRET
   generate: expression

diff --git a/papr/papr-trigger.py b/papr/papr-trigger.py
@@ -19,12 +19,20 @@
 import os
 import sys
 import json
-import uuid
 import argparse
 import tempfile
 import subprocess
 
 
+# XXX: Need to figure out GC strategy for the pod we create here (the "child"
+# pods that PAPR creates are cleaned up by PAPR itself -- once we set up owner
+# references, then even aborted PAPR jobs should end up cleaning child pods
+# when we GC the parent). Maybe a Jenkins job to do this? Would want similar
+# semantics like successfulBuildsHistoryLimit and failedBuildsHistoryLimit.
+# Also note we'll still need this even once we move to Kubernetes Jobs, though
+# owner references are implicitly added for child pods.
+
+
 def main():
 
     args = parse_args()
@@ -50,16 +58,14 @@ def parse_args():
 def generate_papr_pod(args):
     repo_name = args.repo[args.repo.index('/')+1:]
     target_name = args.branch if args.branch else args.pull
-    uuid_name = uuid.uuid4().hex[:6] # XXX: actually check for collision
-    pod_name = "papr-%s-%s-%s" % (repo_name, target_name, uuid_name)
     # XXX: Migrate to Jobs, which have nicer semantics. For now, we're stuck
     # with kube v1.6, which knows jobs, but doesn't support "backoffLimit".
     # https://github.com/kubernetes/kubernetes/issues/30243
     pod = {
         "apiVersion": "v1",
         "kind": "Pod",
         "metadata": {
-            "name": pod_name,
+            "generateName": "papr-%s-%s-" % (repo_name, target_name),
             "labels": {
                 "app": "papr"
             }
@@ -73,26 +79,54 @@ def generate_papr_pod(args):
                     "image": "172.30.1.1:5000/projectatomic-ci/papr",
                     "imagePullPolicy": "Always",
                     "args": ["--debug", "runtest", "--conf",
-                             "/etc/papr.conf", "--repo", args.repo],
-                    # XXX: pvc for git checkout caches
-                    # XXX: mount site.yaml configmap
+                             "/etc/papr/config", "--repo", args.repo],
+                    # XXX: pvc for git checkout caches (but need to add locking)
+                    "env": [
+                        {
+                            "name": "GITHUB_TOKEN",
+                            "valueFrom": {
+                                "secretKeyRef": {
+                                    "name": "github-token",
+                                    "key": "token",
+                                    "optional": False
+                                }
+                            }
+                        },
+                        {
+                            "name": "AWS_ACCESS_KEY_ID",
+                            "valueFrom": {
+                                "secretKeyRef": {
+                                    "name": "aws-access-key",
+                                    "key": "id",
+                                    "optional": False
+                                }
+                            }
+                        },
+                        {
+                            "name": "AWS_SECRET_ACCESS_KEY",
+                            "valueFrom": {
+                                "secretKeyRef": {
+                                    "name": "aws-access-key",
+                                    "key": "secret",
+                                    "optional": False
+                                }
+                            }
+                        }
+                    ],
                     "volumeMounts": [
                         {
-                            "name": "github-token-mount",
-                            "mountPath": "/etc/github-token",
-                            "readOnly": True
+                            "name": "config-mount",
+                            "mountPath": "/etc/papr"
                         }
                     ]
                 }
             ],
             "volumes": [
                 {
-                  "name": "github-token-mount",
-                  "secret": {
-                    # XXX: this is from the template; probably should just
-                      # require the secret to have that exact name
-                    "secretName": "github-token"
-                  }
+                    "name": "config-mount",
+                    "configMap": {
+                        "name": "papr-config"
+                    }
                 }
             ]
         }
@@ -124,8 +158,7 @@ def create_papr_pod(pod):
     with tempfile.TemporaryFile() as tmpf:
         tmpf.write(json.dumps(pod).encode('utf-8'))
         tmpf.seek(0)
-        subprocess.check_output(["oc", "create", "-f", "-"], stdin=tmpf)
-    print(pod["metadata"]["name"])
+        subprocess.check_call(["oc", "create", "-f", "-"], stdin=tmpf)
 
 
 if __name__ == '__main__':